vet


Name: vet
Version: 0.1.1.post4
Summary: A poetry plugin for establishing chain of trust
Upload time: 2024-04-01 01:05:17
Author: Rafael Irgolic
Requires Python: <4.0,>=3.10
Home page: None
Maintainer: None
Docs URL: None
License: None
Keywords: None
Requirements: No requirements were recorded.
Travis-CI: No Travis.
Coveralls test coverage: No coveralls.
            <div align="center">

# `vet`

A poetry plugin for establishing chain of trust  
Inspired by [cargo-vet](https://github.com/mozilla/cargo-vet)

</div>

## Installation

Depending on how you installed poetry, you may need to install `vet` in a different way.

If you used the self-installer:

```bash
poetry self add vet
```

If you used pipx:

```bash
pipx inject poetry vet
```

If you used pip:

```bash
pip install vet
```

For more information and troubleshooting, see the [poetry plugin installation docs](https://python-poetry.org/docs/plugins/#using-plugins).

## Usage

### Initialization

Initialize `vet` in your project:

```bash
poetry vet init
```

This will create a [`chain-of-trust` directory](chain-of-trust/) in your project.
See the [generated README](chain-of-trust/README.md) for more information on how to configure `vet`.


### Running checks

To audit your project dependencies, run:

```bash
poetry vet
```

Dependencies are trusted to be either **safe to run** or **safe to deploy**.
Upon initialization, all dependencies currently in the `poetry.lock` file are exempted and deemed **safe to run**.

To vet dependencies as **safe to deploy**, run:

```bash
poetry vet --safe-to-deploy
```

For an example of how to run `vet` in GitHub CI, see [the `ci.yml` file in this repository](https://github.com/irgolic/vet/blob/main/.github/workflows/ci.yml#L15).

### Importing Audits

Modify the `config.toml` file as per the example in [the generated README](chain-of-trust/README.md#imports).

Then run:

```bash
poetry vet lock
```

This will download the audits from the trusted sources specified in the `config.toml` file and store them in the `import.lock` file.

### Auditing

Audit dependencies manually by adding entries in the `audits.toml` file as per the example in [the generated README](chain-of-trust/README.md#audit-file-auditstoml).

## Background

This was thrown together in an afternoon; after the [xz backdoor](https://boehs.org/node/everything-i-know-about-the-xz-backdoor) I thought we needed better visibility into our dependency trees.
